
What is the purpose of max-age in HSTS? For example:

Strict-Transport-Security: max-age=100

If the value exceeds 100, what will happen?

Is there any best practice for setting the max-age?

Thanks!

allencharp

1 Answer


There are semantically distinct ways to send HSTS headers, as defined in RFC 6797:

Strict-Transport-Security: max-age=31536000

The HSTS policy is applied only to the domain of HSTS host issuing it and remains in effect for one year.

Strict-Transport-Security: max-age=31536000; includeSubDomains

The HSTS policy is applied to the domain of the issuing host as well as its subdomains and remains in effect for one year.

Strict-Transport-Security: max-age=0

Directs the browser to delete the entire HSTS policy.

HSTS Best Practices

There are a few simple best practices for HSTS:

  1. The strongest protection is to ensure that all requested resources use only TLS with a well-formed HSTS header. Qualys recommends providing an HSTS header on all HTTPS resources in the target domain.
  2. It is advisable to assign the max-age directive’s value to be greater than 10368000 seconds (120 days) and ideally to 31536000 (one year). Websites should aim to ramp up the max-age value to ensure heightened security for a long duration for the current domain and/or subdomains.
  3. RFC 6797, section 14.4 advocates that a web application must aim to add the includeSubDomains directive in the policy definition whenever possible. The directive's presence ensures the HSTS policy is applied to the domain of the issuing host and all of its subdomains, e.g. example.com and www.example.com.
  4. The application should never send an HSTS header over plaintext HTTP, as doing so makes the connection vulnerable to SSL stripping attacks.
  5. It is not recommended to provide an HSTS policy via the http-equiv attribute of a meta tag. According to HSTS RFC 6797, user agents don't heed the http-equiv="Strict-Transport-Security" attribute on <meta> elements in the received content.

This cheat sheet from OWASP might help you out in the future too.

Horkrine
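As an added example (not part of the original question or answer, and not code from any browser or from Qualys/OWASP), the following Python models what a user agent does with the headers discussed above per RFC 6797: it parses the Strict-Transport-Security value, ignores it on plaintext HTTP, stores a policy that expires after max-age seconds, honours includeSubDomains for subdomain lookups, treats max-age=0 as deletion, and flags headers that fall short of the best-practice thresholds in the answer. The host names, timestamps and header strings are constructed for the demo; the 120-day and one-year thresholds are the ones the answer quotes.

```python
"""Toy model of RFC 6797 HSTS processing (added example, not browser code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One directive: name, optionally "=" and a token or quoted-string (RFC 6797 s6.1).
_DIRECTIVE = re.compile(r'^\s*([A-Za-z-]+)\s*(?:=\s*(?:"([^"]*)"|([^;\s"]*)))?\s*$')

MIN_RECOMMENDED = 10368000   # 120 days, the answer's lower bound
IDEAL = 31536000             # one year, the answer's recommended value


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse an STS header value. Returns None when the header must be ignored:
    max-age missing or malformed, or any directive repeated. Directive names are
    case-insensitive; unknown directives (e.g. preload) are skipped."""
    max_age: Optional[int] = None
    include_subdomains = False
    seen = set()
    for part in header.split(';'):
        if not part.strip():
            continue                      # tolerate a trailing ';'
        m = _DIRECTIVE.match(part)
        if not m:
            return None
        name = m.group(1).lower()
        value = m.group(2) if m.group(2) is not None else m.group(3)
        if name in seen:
            return None                   # duplicate directive invalidates the header
        seen.add(name)
        if name == 'max-age':
            if value is None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == 'includesubdomains':
            include_subdomains = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains)


def assess(header: str) -> List[str]:
    """Check a header against the answer's best practices; empty list means OK."""
    policy = parse_hsts(header)
    if policy is None:
        return ['invalid STS header (ignored by browsers)']
    findings = []
    if policy.max_age == 0:
        findings.append('max-age=0 removes the policy')
    elif policy.max_age < MIN_RECOMMENDED:
        findings.append('max-age below 120 days')
    if not policy.include_subdomains:
        findings.append('includeSubDomains missing')
    return findings


class HstsStore:
    """Toy model of a browser's HSTS cache: host -> (expiry time, includeSubDomains)."""

    def __init__(self) -> None:
        self._entries: Dict[str, Tuple[int, bool]] = {}

    def receive(self, host: str, header: str, over_tls: bool, now: int) -> bool:
        """Process a response header. Returns True if the store changed."""
        if not over_tls:
            return False                  # header over plaintext HTTP is ignored
        policy = parse_hsts(header)
        if policy is None:
            return False
        if policy.max_age == 0:
            return self._entries.pop(host, None) is not None   # delete policy
        self._entries[host] = (now + policy.max_age, policy.include_subdomains)
        return True

    def must_use_https(self, host: str, now: int) -> bool:
        """True if host (or a superdomain with includeSubDomains) has a live policy."""
        labels = host.split('.')
        for i in range(len(labels)):
            entry = self._entries.get('.'.join(labels[i:]))
            if entry is None:
                continue
            expires, include_sub = entry
            if now >= expires:
                continue                  # expired policy is treated as absent
            if i == 0 or include_sub:
                return True
        return False


def demo() -> Dict[str, bool]:
    """Walk through the question's max-age=100 case; times are constructed."""
    store, t0, r = HstsStore(), 1_700_000_000, {}
    r['http_ignored'] = store.receive('example.com', 'max-age=100', False, t0)
    store.receive('example.com', 'max-age=100', True, t0)
    r['enforced_now'] = store.must_use_https('example.com', t0 + 99)
    r['sub_without_directive'] = store.must_use_https('www.example.com', t0)
    r['after_expiry'] = store.must_use_https('example.com', t0 + 100)
    store.receive('example.com', 'max-age=31536000; includeSubDomains', True, t0)
    r['sub_with_directive'] = store.must_use_https('www.example.com', t0 + 100)
    store.receive('example.com', 'max-age=0', True, t0)
    r['after_delete'] = store.must_use_https('example.com', t0)
    return r
```

Run demo() to see the answer to the question: with max-age=100 the host is forced to HTTPS only for 100 seconds after the last time the header was seen, after which the browser falls back to accepting plain HTTP (a new header on every HTTPS response keeps sliding the expiry forward, which is why a long max-age matters).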